CVE-2026-23896 Overview
CVE-2026-23896 is a privilege escalation vulnerability affecting Immich, a high-performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system.
This vulnerability stems from improper privilege management (CWE-269) in the API key handling mechanism, where the application fails to properly validate permission changes requested through the API update endpoint.
Critical Impact
Attackers with low-privilege API access can escalate to full administrative control, potentially compromising all stored photos, videos, and user data within the Immich installation.
Affected Products
- Immich versions prior to 2.5.0
Discovery Timeline
- 2026-01-29 - CVE-2026-23896 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-23896
Vulnerability Analysis
This privilege escalation vulnerability allows API keys to modify their own permission levels through the update endpoint. The root cause lies in the application's failure to implement proper authorization checks when processing API key update requests. When a user or automated process makes an API call to update their API key's permissions, the system does not verify whether the requesting key has the authority to grant such elevated privileges.
The vulnerability enables an attacker who possesses a low-privilege API key to craft a request that upgrades their key to administrative status. Once escalated, the attacker gains full control over the Immich installation, including access to all stored media, user management capabilities, and system configuration options.
Root Cause
The vulnerability is classified under CWE-269 (Improper Privilege Management). The Immich application prior to version 2.5.0 lacks proper validation logic in the API key update endpoint. When processing permission modification requests, the system fails to verify that the requesting API key has sufficient privileges to grant the requested permission level. This allows any API key holder to self-escalate their permissions to the highest privilege level available in the system.
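The missing authorization step described in the analysis and root cause above, modelled as an added example. This is not Immich's source code; the permission names, the `all` wildcard and the function shapes are assumptions made for illustration.

```typescript
// Added illustration, not Immich's code. An API key update must not grant
// permissions the requesting key does not itself hold.
type Permission = string; // e.g. "asset.read", "apiKey.update", "all" (assumed names)

interface ApiKey {
  id: string;
  userId: string;
  permissions: Permission[];
}

// Vulnerable shape: whatever permission set is requested is stored as-is,
// so a low-privilege key can write "all" onto itself.
function updateApiKeyUnchecked(target: ApiKey, requested: Permission[]): ApiKey {
  return { ...target, permissions: [...requested] };
}

// True when every requested permission is covered by the requester's own set.
// "all" is treated as a wildcard (assumption for this example).
function canGrant(requester: Permission[], requested: Permission[]): boolean {
  if (requester.includes("all")) return true;
  return requested.every((p) => requester.includes(p));
}

// Hardened shape: the requester may only grant a subset of what it already
// holds, whether it is editing its own key or another key of the same user.
function updateApiKeyChecked(requester: ApiKey, target: ApiKey, requested: Permission[]): ApiKey {
  if (requester.userId !== target.userId) {
    throw new Error("forbidden: key belongs to another user");
  }
  if (!canGrant(requester.permissions, requested)) {
    throw new Error("forbidden: cannot grant permissions the requester does not hold");
  }
  return { ...target, permissions: [...requested] };
}

// Constructed sample key with limited permissions.
const lowPrivilegeKey: ApiKey = { id: "k1", userId: "u1", permissions: ["asset.read", "apiKey.update"] };
```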
Attack Vector
The attack is conducted over the network and requires the attacker to have an existing API key with any privilege level. The attacker sends a crafted request to the API key update endpoint, specifying elevated permissions for their own key. Since the vulnerable endpoint does not validate whether the requesting key has authorization to grant such permissions, the request is processed successfully, and the API key receives administrative privileges.
The attack does not require user interaction and can be executed programmatically. An attacker with even minimal API access can leverage this vulnerability to gain complete administrative control over the Immich instance, including access to all user accounts, stored photos and videos, and system settings.
Detection Methods for CVE-2026-23896
Indicators of Compromise
- Unexpected API key permission changes in application logs
- API keys with elevated privileges that were originally created with limited permissions
- Audit trail showing self-modification of API key permissions
- Unusual administrative actions performed by previously low-privilege API keys
Detection Strategies
- Monitor API endpoint logs for calls to the API key update endpoint
- Implement alerting on any permission elevation events
- Review API key permission histories for unauthorized changes
- Deploy web application firewalls (WAF) rules to detect suspicious API update patterns
Monitoring Recommendations
- Enable verbose logging for all API key management operations
- Establish baseline API key permission profiles and alert on deviations
- Implement real-time monitoring for privilege escalation patterns in API traffic
- Conduct regular audits of API key permissions against intended access levels
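The "alert on any permission elevation" and "audit trail showing self-modification" items above, as an added detection example run over constructed audit-log lines. The log format (one JSON object per line with acting key, target key and before/after permission sets) is an assumption, not Immich's actual log layout.

```typescript
// Added detection example, not part of the advisory or Immich.
interface AuditEvent {
  ts: string;
  actorKey: string;   // API key that issued the update request
  targetKey: string;  // API key whose permissions were changed
  before: string[];
  after: string[];
}

interface Finding {
  ts: string;
  targetKey: string;
  selfModified: boolean; // actor edited its own key: the CVE-2026-23896 pattern
  gained: string[];      // permissions present after the update but not before
}

// "all" is treated as a wildcard that covers every other permission (assumption).
function coveredBy(perm: string, set: string[]): boolean {
  return set.includes("all") || set.includes(perm);
}

// Emits one finding per event that widens a key's permission set. Renames and
// narrowings produce nothing; any widening is worth an alert, self or not.
function findElevations(logLines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of logLines) {
    if (!line.trim()) continue;
    const ev = JSON.parse(line) as AuditEvent;
    const gained = ev.after.filter((p) => !coveredBy(p, ev.before));
    if (gained.length === 0) continue;
    findings.push({ ts: ev.ts, targetKey: ev.targetKey, selfModified: ev.actorKey === ev.targetKey, gained });
  }
  return findings;
}

// Constructed sample: an unchanged set, an admin narrowing a key, and a self-escalation.
const sampleLog: string[] = [
  '{"ts":"2026-01-30T10:00:00Z","actorKey":"k1","targetKey":"k1","before":["asset.read"],"after":["asset.read"]}',
  '{"ts":"2026-01-30T10:01:00Z","actorKey":"admin","targetKey":"k2","before":["asset.read","asset.upload"],"after":["asset.read"]}',
  '{"ts":"2026-01-30T10:02:00Z","actorKey":"k1","targetKey":"k1","before":["asset.read"],"after":["all"]}',
];

for (const f of findElevations(sampleLog)) {
  console.log(`${f.ts} key ${f.targetKey} gained [${f.gained.join(", ")}] self=${f.selfModified}`);
}
```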
How to Mitigate CVE-2026-23896
Immediate Actions Required
- Upgrade Immich to version 2.5.0 or later immediately
- Audit all existing API keys for unauthorized permission escalations
- Revoke and regenerate API keys that may have been compromised
- Review application logs for any evidence of exploitation attempts
Patch Information
The vulnerability has been addressed in Immich version 2.5.0. Users should upgrade to this version or later to remediate the vulnerability. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Restrict network access to the Immich API to trusted sources only
- Implement additional authentication layers (VPN, IP allowlisting) for API access
- Monitor and audit API key usage patterns until the patch can be applied
- Consider temporarily disabling API key functionality if not critical to operations
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.